[Dovecot] maildirfolder is created world-writeable
If I create a new folder using a mail client (eg. kmail/OE), the maildirfolder file is created world-writable. I assume that this is a security risk and should be -rw-------.
eg. - create folder "Foo" in mail client
~ $ ls -la .maildir/.Foo/
total 20
drwx------  5 robert users 4096 2009-01-21 19:56 .
drwx------ 43 robert users 4096 2009-01-21 19:56 ..
drwx------  2 robert users 4096 2009-01-21 19:56 cur
-rw-rw-rw-  1 robert users    0 2009-01-21 19:56 maildirfolder
drwx------  2 robert users 4096 2009-01-21 19:56 new
drwx------  2 robert users 4096 2009-01-21 19:56 tmp
Some info:
# dovecot --version
1.1.7

# dovecot -n
# 1.1.7: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.27-gentoo-r7 x86_64 Gentoo Base System release 1.12.11.1
ssl_cert_file: /etc/ssl/dovecot/server.pem
ssl_key_file: /etc/ssl/dovecot/server.key
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/libexec/dovecot/imap-login
mail_location: maildir:~/.maildir
mail_plugins: deleted_to_trash
namespace:
  type: public
  separator: /
  prefix: Public/
  location: maildir:/var/local/mail/public/
  list: yes
namespace:
  type: private
  separator: /
  inbox: yes
  list: yes
  subscriptions: yes
auth default:
  passdb:
    driver: pam
    args: *
  userdb:
    driver: passwd
I can't find this in the bugs area.
On Wed, 2009-01-21 at 20:06 +1100, Robert S wrote:
> If I create a new folder using a mail client (eg. kmail/OE), the maildirfolder file is created world-writable. I assume that this is a security risk and should be -rw-------.
Yes, it shouldn't be world-writable, fixed: http://hg.dovecot.org/dovecot-1.1/rev/22c279ca3bb4
Anyway there isn't really much danger with how it was previously, because:
The directory was created with 0700 permissions, so no-one could write to the file.
Even if someone was able to write to the file, the worst that could happen is that the owner's disk quota was reduced. The maildirfolder file is never read by Dovecot.
participants (2): Robert S, Timo Sirainen
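An audit for the condition discussed in this thread, added here as an example that is not part of the original messages or of Dovecot. It lists maildirfolder files carrying group or other write bits and marks whether the containing folder's own mode already keeps other users out (the 0700 case from the reply). The function names are hypothetical, and only the immediate parent directory is inspected.

```shell
#!/bin/sh
# Added example, not Dovecot code. Function names are hypothetical.

# audit_maildirfolder ROOT
# Prints "<mode> <exposure> <path>" for every maildirfolder file under
# ROOT that has a group or other write bit set.
#   shielded  = the containing folder grants nothing to group/other,
#               so other local users cannot reach the file
#   reachable = the containing folder has some group/other bit set
audit_maildirfolder() {
    find "$1" -type f -name maildirfolder \
        \( -perm -020 -o -perm -002 \) \
        -exec sh -c '
            for f do
                dir=$(dirname "$f")
                # ls mode string: char 1 type, 2-4 user, 5-7 group, 8-10 other
                fmode=$(ls -ld "$f" | cut -c1-10)
                dmode=$(ls -ld "$dir" | cut -c5-10)
                if [ "$dmode" = "------" ]; then
                    exposure=shielded
                else
                    exposure=reachable
                fi
                printf "%s %s %s\n" "$fmode" "$exposure" "$f"
            done' sh {} +
}

# tighten_maildirfolder ROOT
# Removes only the group/other write bits from the files the audit flags.
tighten_maildirfolder() {
    find "$1" -type f -name maildirfolder \
        \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Run the audit when a Maildir root is given on the command line,
# e.g.  sh audit.sh ~/.maildir
if [ "$#" -gt 0 ]; then
    audit_maildirfolder "$1"
fi
```

A "reachable" result is the one to act on first, since the 0700 folder is the only thing standing between other users and the file.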